Review: The Tangled Web

I came across this book when looking for
a more practical follow-up to Applied
Cryptography. (Being a web
developer, my interests are focused around Internet security.) I believe Amazon
recommended it to me, and I was convinced by the pedigree of the publisher (No
Starch Press) and the credentials of the author (Daniel
Zalewski).

Zalewski seemed to anticipate my concerns specifically, and addressed them in
his introduction:

In any case, through the remainder of the book, I will shy away from attempts
to establish or reuse any of the aforementioned grand philosophical
frameworks and settle for a healthy dose of anti-intellectualism instead. I
will review the exposed surface of modern browsers, discuss how to use the
available tools safely, which bits of the Web are commonly misunderstood, and
how to control collateral damage when things go boom.

And that is, pretty much, the best take on security engineering that I can
think of.

Historical Background

The book begins with an account of the development of the Internet through the
lens of browser vendors. Although I was already familiar with the story of the
browser wars and so on, Zalewski keeps the focus on the technological effects of
the conflict. He presents a fascinating and disheartening account of how early
mistakes and in-fighting contributed to problems that have become endemic.

I plan on sharing the section "A Brief History of the Web" with non-technical
friends who want to know more about the web as a platform.

The author returns to this history throughout the book when explaining the
origin of various technologies.

Today

As should be expected, the book's main focus is the World Wide Web as it
functions today. I felt this to be a relatively complete tour of all the facets
of modern web applications. It begins with a very thorough coverage of the
seemingly mundane task of URL parsing. This is a foreboding introduction to the
rest of the book: if something that would seem this straightforward is actually
quite complicated, the reader has to wonder what is in store for all the
nuanced tasks performed by the browser. By the end, the author is discussing
the implications of denial-of-service attacks on the browser along with
concerns surrounding window creation.

It was refreshing to get a new perspective on the Web platform. Zalewski makes a
number of editorial asides that confirm many of my privately held suspicions
(e.g. why do external stylesheets get included with a link tag instead of a
style tag with a src attribute, a la script?) and also challenge strange
behaviors that I had previously taken for granted (e.g. why is the cookie API
namespaced under the document object?).

Very often, the author points out that certain browser behaviors are dangerous
and immediately suggests ways to prevent exploits. In many cases, the security
implications of the exploit are not described (apparently left as an exercise
for the reader). It took effort to pause and piece together how some of these
things were dangerous, and I rarely did so. The cognitive leap that recognizes
"bizarre behavior" as "malicious exploit" is a fundamental skill for security
engineering, and it's unclear whether the author expects these details to be
self-evident, or if they were omitted for brevity. After all, you don't
necessarily have to understand how a security hole might be exploited in order
to patch it... but it helps a lot! I think elaboration on more of these
exploits (possibly given a distinct visual treatment) would have been very
instructive for readers seeking to develop their security reasoning abilities.

The Future

Zalewski ends this text with an analysis of upcoming browser features. These
are inherently exciting to me because they may have a significant effect on how
I reason about web security in the future.

As might be expected from his take on modern-day browser functionality, the
author is quite hard on proposed improvements. Critical coverage is probably
even more important for developing technology than it is for existing
technology. I say this because little editorial content exists on the web for
behavior that is still being drafted. The most visible resources for these
topics are the specification drafts themselves, and as one might expect, they
tend to be pretty one-sided.

(I have to admit that my own coverage of the upcoming Content Security Policy
is woefully lacking in constructive criticism. This is largely due to the fact
that I relied heavily on the specification itself to learn about the
technology, skewing my perspective. Zalewski's discussion of its shortcomings
was of particular interest to me.)

Mailing lists are probably the place to go for balanced discourse on these
topics, but I've never found them to be particularly discoverable or usable.
That observation is more of an indictment of my personal shortcomings as a
professional, but I think this section would have benefited from some
information on the relevant mailing lists.

Conclusion

The book finishes on a slightly introspective note, questioning the true
significance of these security holes, and whether we aren't focusing too much
attention on the wrong things. (As it happens, Zalewski's musings on the
importance of trust in society as it relates to security make for an extremely
fitting segue into the next book on my reading list: "Liars and Outliers" by
Bruce Schneier.)

All in all, I found this book to be extremely fascinating and thorough.
Because I was reading it casually, it remains to be seen how much I was able to
internalize for my day-to-day work. Regardless, it will be living on my desk
for the foreseeable future, full of dog-eared pages.